RFR: 8341964: Add mechanism to disable different parts of TLS cipher suite [v3]

Artur Barashev abarashev at openjdk.org
Tue Nov 5 21:56:30 UTC 2024


On Tue, 5 Nov 2024 21:36:12 GMT, Sean Mullan <mullan at openjdk.org> wrote:

>> Artur Barashev has updated the pull request incrementally with one additional commit since the last revision:
>> 
>>   "Cipher suites must start with TLS_" doc update
>
> src/java.base/share/conf/security/java.security line 780:
> 
>> 778: # syntax of the disabled algorithm string. Additionally, TLS cipher suites
>> 779: # can be disabled here using "*" wildcard syntax. For example "TLS_RSA_*"
>> 780: # disables all cipher suites that start with "TLS_RSA_". Only the algorithms
> 
> s/the algorithms/cipher suites/
> s/have/have a/
> 
> Can you only have one wildcard and must it have nothing after it? If so, we should also state those constraints.

- Will do. I actually used `algorithms` specifically to avoid confusion since the property is called `jdk.tls.disabledAlgorithms`. But I guess `cipher suites` works well too given the context.
- About using only one wildcard: we actually currently allow pretty much full regex syntax as long as at least one "*" is present; we only replace "*" with ".*" internally. One wildcard may not be enough to disable some cipher suites in the future. I will update the description that multiple wildcards are allowed.

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/21841#discussion_r1830051016
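An added example, not part of this thread or of the JDK source, that illustrates the wildcard semantics described above: each "*" in an entry becomes ".*", the rest of the entry is used as a regular expression, multiple wildcards are allowed, and entries must start with "TLS_". The sample suite list is constructed, and treating a non-wildcard entry as an exact suite name is an assumption of this illustration.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

public class DisabledSuiteWildcard {

    // Mirrors the semantics described in the thread: an entry containing at least
    // one "*" is a wildcard pattern; each "*" becomes ".*" and the remainder is used
    // as-is, so other regex metacharacters pass through unchanged.
    // Assumption: an entry without "*" is matched as an exact suite name.
    static Pattern toPattern(String entry) {
        if (!entry.startsWith("TLS_")) {
            throw new IllegalArgumentException("Cipher suite entries must start with TLS_: " + entry);
        }
        if (!entry.contains("*")) {
            return Pattern.compile(Pattern.quote(entry));
        }
        return Pattern.compile(entry.replace("*", ".*"));
    }

    // Returns the suites from 'enabled' that are not matched by any disabled entry.
    static List<String> filter(List<String> enabled, List<String> disabledEntries) {
        List<Pattern> patterns = new ArrayList<>();
        for (String e : disabledEntries) {
            patterns.add(toPattern(e.trim()));
        }
        List<String> kept = new ArrayList<>();
        for (String suite : enabled) {
            boolean disabled = patterns.stream().anyMatch(p -> p.matcher(suite).matches());
            if (!disabled) {
                kept.add(suite);
            }
        }
        return kept;
    }

    public static void main(String[] args) {
        // Constructed sample list; not the JDK's actual default suite order.
        List<String> enabled = List.of(
            "TLS_AES_256_GCM_SHA384",
            "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
            "TLS_RSA_WITH_AES_128_CBC_SHA",
            "TLS_RSA_WITH_AES_256_GCM_SHA384",
            "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256");
        // One single-wildcard entry and one entry with two wildcards.
        List<String> disabled = List.of("TLS_RSA_*", "TLS_*_CBC_SHA");
        filter(enabled, disabled).forEach(System.out::println);
    }
}
```

Because `matches()` requires a full match, "TLS_*_CBC_SHA" removes only the CBC suite ending in "_SHA", not the one ending in "_SHA256".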